Header checking disabled¶
ID: cs/web/disabled-header-checking Kind: problem Severity: warning Precision: high Tags: - security - external/cwe/cwe-113 Query suites: - csharp-code-scanning.qls - csharp-security-extended.qls - csharp-security-and-quality.qls
Click to see the query in the CodeQL repository
This rule finds places in the code where header checking is disabled. When header checking is enabled, which is the default, the
\n characters found in a response header are encoded to
%0a. This defeats header-injection attacks by making the injected material part of the same header line. If you disable header checking, you open potential attack vectors against your client code.
Do not disable header checking.
Common Weakness Enumeration: CWE-113.